A second mass breach of Ecuadorian personal data is discovered on a German server
Security researchers have discovered yet another unsecured server exposing sensitive data on Ecuadorian citizens.
According to Bloomberg News, the server is located in Germany and is being used by an Ecuadorian company called DataBook. The server, hosting the details of some 17 million Ecuadorian people, was spotted by Noam Rotem and Ran Locar, two Israeli computer programmers, who do security research in their free time.
According to Locar, the data stored on the DataBook server appears to be similar to the unprotected data discovered on the internet two weeks ago, although it may not be an exact copy of that data.
It includes names, phone numbers, addresses, email IDs, workplace information, family members, and many other highly personal details about Ecuadorian citizens.
Ecuador’s fast-response IT security team has already been notified about the breach. The team alerted prosecutors and also asked them to investigate other firms supposedly illegally using the personal data of Ecuadorian citizens.
On September 11, cyber security firm vpnMentor revealed that its researchers, led by Noam Rotem and Ran Locar, had found an unprotected database on a computer server in Miami, exposing personal details of almost every Ecuadorian citizen on the internet.
The database contained personal details of almost all Ecuadorian citizens. The details that were exposed included names, dates of birth, addresses, marital status, family details, ID numbers, and other information.
Approximately 6.77 million of the total 20 million records in the database were of children under the age of 18.
A detailed analysis of the database revealed that it belonged to a local data analytics firm called Novaestrat. The information contained in the database likely came from multiple sources, including the government’s civil registry, the Ecuadorian national bank BIESS and an automotive association called Aeade.
Ecuadorian authorities later apprehended a senior executive of Novaestrat in connection with the breach. The investigating agencies raided Novaestrat’s office and arrested the company’s legal representative, William Roberto G, there. Several computers, storage devices, and electronic equipment were also seized during the raid.
The massive data leak also sparked a push in the country to pass new data protection legislation that would mirror the EU’s privacy regime and enable citizens to oppose and eliminate the use of their personal data by organizations.
After the bill is passed by the National Assembly, a new data protection authority would be set up in the country to enforce the law. The government admitted, however, that any new cyber security law would be unlikely to go into effect before early 2020.